
How to enable notification alert for service principal Risky sign-in detection from workload identity

MOD Administrator 0 Reputation points
2025-11-18T08:15:10.3166667+00:00

How do I enable a notification alert for service principal risky sign-in detection from workload identity?
I don't see any options available, and if this is not available in Azure, is there any other way we can do that?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Jose Benjamin Solis Nolasco 8,076 Reputation points Volunteer Moderator
    2025-11-18T13:37:41.0733333+00:00

    Welcome to Microsoft Q&A,

    @MOD Administrator, there is no "email alert" button for workload identities in the portal, so your best approach is to leverage Diagnostic Settings to send ServicePrincipalRiskEvents to a Log Analytics Workspace, and then create an Azure Monitor Alert Rule based on a KQL query.

    Personally, my favorite way to do it is using Diagnostic Settings and then sending the logs to Log Analytics.

    Step by step, it would look like this, for example:

    You need to send the Workload Identity Risk data to a destination where you can build an alert.

    • Go to the Microsoft Entra admin center.
    • Navigate to Identity > Monitoring & health > Diagnostic settings.
    • Select Add diagnostic setting.
    • Give your setting a name (e.g., WorkloadIdentityRisk_Alerts).
    • Under Logs, select the category: ServicePrincipalRiskEvents.
    • Under Destination details, check Send to Log Analytics workspace and choose your desired workspace.

    Let me know if you need further assistance.

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!


    1 person found this answer helpful.
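The answer above stops at the diagnostic setting; the alert rule still needs a KQL query and an evaluation window. The block below is an added example, not code from the answer or from Microsoft. It assumes that the ServicePrincipalRiskEvents category lands in the Log Analytics table `AADServicePrincipalRiskEvents` with the column names shown (`RiskState`, `RiskLevel`, `RiskEventType`, `ServicePrincipalId`, `IpAddress`), gives the KQL to paste into the scheduled-query alert rule, and mirrors the same filter in Python over a handful of constructed rows so the selection logic (window, `atRisk` state, medium/high level, one alert per service principal) can be checked before anything is wired to an Action Group.

```python
"""Detection logic for the Azure Monitor scheduled-query alert on workload identity risk.

Added example, not from the Q&A post. Assumes the ServicePrincipalRiskEvents
diagnostic category lands in the table AADServicePrincipalRiskEvents with the
columns used below. SAMPLE_EVENTS are constructed rows, not real tenant data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# KQL for the alert rule. Suggested rule settings: measure = table rows,
# operator = greater than, threshold = 0, split by dimension ServicePrincipalId,
# evaluate every 5 minutes over a 10 minute window (assumed values).
ALERT_KQL = """
AADServicePrincipalRiskEvents
| where TimeGenerated > ago(10m)
| where RiskState == "atRisk"
| where RiskLevel in ("medium", "high")
| summarize EventCount = count(),
            HighCount = countif(RiskLevel == "high"),
            RiskTypes = make_set(RiskEventType),
            IPs = make_set(IpAddress),
            LastSeen = max(TimeGenerated)
    by ServicePrincipalId, ServicePrincipalDisplayName, AppId
"""

ALERTABLE_LEVELS = {"medium", "high"}  # "low", "none" and "hidden" are not alerted on


@dataclass(frozen=True)
class RiskEvent:
    """One row of AADServicePrincipalRiskEvents (subset of columns)."""
    TimeGenerated: datetime
    ServicePrincipalId: str
    ServicePrincipalDisplayName: str
    AppId: str
    RiskEventType: str
    RiskLevel: str
    RiskState: str
    IpAddress: str
    CorrelationId: str


def evaluate_alert(rows, now, window=timedelta(minutes=10)):
    """Python mirror of ALERT_KQL.

    Returns {ServicePrincipalId: summary} for service principals with at least one
    at-risk, medium-or-high event inside the evaluation window. Rows whose RiskState is
    remediated, dismissed or confirmedCompromised are skipped: they are already handled.
    """
    start = now - window
    summary = {}
    for r in rows:
        if r.TimeGenerated <= start:             # outside ago(window)
            continue
        if r.RiskState != "atRisk":              # not an open risk
            continue
        if r.RiskLevel not in ALERTABLE_LEVELS:  # low / hidden: no actionable level
            continue
        s = summary.setdefault(r.ServicePrincipalId, {
            "ServicePrincipalDisplayName": r.ServicePrincipalDisplayName,
            "AppId": r.AppId,
            "EventCount": 0,
            "HighCount": 0,
            "RiskTypes": set(),
            "IPs": set(),
            "LastSeen": r.TimeGenerated,
        })
        s["EventCount"] += 1
        s["HighCount"] += int(r.RiskLevel == "high")
        s["RiskTypes"].add(r.RiskEventType)
        s["IPs"].add(r.IpAddress)
        s["LastSeen"] = max(s["LastSeen"], r.TimeGenerated)
    return summary


def alert_fires(summary, threshold=0):
    """Rule 'number of results > threshold', split by ServicePrincipalId:
    one alert instance per service principal that exceeds the threshold."""
    return sorted(sp for sp, s in summary.items() if s["EventCount"] > threshold)


NOW = datetime(2025, 11, 18, 8, 15, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed rows; IPs are RFC 5737 documentation ranges
    RiskEvent(NOW - timedelta(minutes=2), "sp-0001", "billing-sync", "app-aaaa",
              "suspiciousSignins", "high", "atRisk", "203.0.113.10", "corr-1"),
    RiskEvent(NOW - timedelta(minutes=4), "sp-0001", "billing-sync", "app-aaaa",
              "anomalousServicePrincipalActivity", "medium", "atRisk", "203.0.113.11", "corr-2"),
    RiskEvent(NOW - timedelta(minutes=3), "sp-0002", "ci-runner", "app-bbbb",
              "leakedCredentials", "high", "remediated", "198.51.100.7", "corr-3"),
    RiskEvent(NOW - timedelta(minutes=45), "sp-0003", "legacy-reporting", "app-cccc",
              "maliciousApplication", "high", "atRisk", "198.51.100.8", "corr-4"),
    RiskEvent(NOW - timedelta(minutes=1), "sp-0004", "dev-test", "app-dddd",
              "suspiciousSignins", "low", "atRisk", "192.0.2.5", "corr-5"),
]

if __name__ == "__main__":
    hits = evaluate_alert(SAMPLE_EVENTS, NOW)
    for sp in alert_fires(hits):
        print(sp, hits[sp])
```

Two caveats when you move this into the portal: the table only starts filling after the diagnostic setting is saved, so wait for rows to appear before building the rule; and if the tenant lacks the workload identity risk licence, `RiskLevel` may come back as `hidden`, which the query above deliberately ignores.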

  2. Adam Zachary 2,265 Reputation points
    2025-11-20T23:10:12.1533333+00:00

    A while ago I built something similar for a customer who needed more than just an email notification: they wanted risky service principal sign-ins to trigger an automated response.

    Since Entra ID doesn’t provide a native ‘notify me’ switch for workload identity risk, you have to build the signal yourself.

    The cleanest approach is:

    Enable Diagnostic Settings and send ServicePrincipalRiskEvents into a Log Analytics workspace.

    From there, create an Azure Monitor alert that fires whenever a new risky event appears.

    Instead of using email only, connect the alert to an Action Group that calls a Logic App.

    That Logic App is where you can get creative. For example, your workflow can:

    • Automatically disable the service principal until someone reviews it.
    • Send a Teams or Slack message with the correlation ID and the IP address.
    • Open a ticket in your SOC system.
    • Rotate credentials or secrets stored in Key Vault.
    • Trigger a Sentinel automation rule if you're using Sentinel.
    • Send a webhook into whatever automation platform you already use.

    This gives you real-time detection and a response flow tailored to how your team works.

    So the short answer is: Log --> Alert --> Action Group --> Logic App = full notification plus automated remediation for risky service principal sign-ins.

    That’s currently the most flexible and reliable way to monitor workload identity risk in Entra ID.


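The chain Log --> Alert --> Action Group --> Logic App hinges on what the Logic App actually receives and decides. The block below is an added example, not code from the answer above or from any Microsoft sample. It assumes the Action Group is configured to send the Azure Monitor common alert schema (`schemaId` of `azureMonitorCommonAlertSchema`, Log Alerts V2 layout) and that the alert rule splits on a `ServicePrincipalId` dimension; `SAMPLE_ALERT` is a constructed payload. It parses the alert and returns the ordered steps the workflow should run, with the Graph call to disable the service principal returned as a prepared request so the caller decides when to execute it.

```python
"""Decision logic for the Logic App at the end of Log -> Alert -> Action Group -> Logic App.

Added example, not from the Q&A post. Assumes the Action Group sends the Azure
Monitor common alert schema and the alert rule splits on ServicePrincipalId.
SAMPLE_ALERT is constructed; the severity-to-action mapping is an assumption.
"""

GRAPH = "https://graph.microsoft.com/v1.0"
CONTAIN_SEVERITIES = {"Sev0", "Sev1"}  # rule severities that warrant auto-containment

SAMPLE_ALERT = {  # constructed, shaped like a Log Alerts V2 common-schema payload
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {
        "essentials": {
            "alertRule": "WorkloadIdentityRisk-AtRisk",
            "severity": "Sev1",
            "signalType": "Log",
            "monitorCondition": "Fired",
            "monitoringService": "Log Alerts V2",
            "firedDateTime": "2025-11-18T08:20:00Z",
        },
        "alertContext": {
            "conditionType": "LogQueryCriteria",
            "condition": {
                "windowSize": "PT10M",
                "allOf": [{
                    "searchQuery": "AADServicePrincipalRiskEvents | where RiskState == 'atRisk'",
                    "operator": "GreaterThan",
                    "threshold": "0",
                    "timeAggregation": "Count",
                    "metricValue": 2.0,
                    "dimensions": [
                        {"name": "ServicePrincipalId", "value": "sp-0001"},
                        {"name": "ServicePrincipalDisplayName", "value": "billing-sync"},
                    ],
                    "linkToSearchResultsUI": "https://portal.azure.com/#constructed-link",
                }],
            },
        },
    },
}


def parse_alert(payload):
    """Pull the fields the workflow needs out of the common alert schema."""
    if payload.get("schemaId") != "azureMonitorCommonAlertSchema":
        raise ValueError("enable the common alert schema on the Action Group")
    data = payload["data"]
    ess = data["essentials"]
    cond = data["alertContext"]["condition"]["allOf"][0]
    dims = {d["name"]: d["value"] for d in cond.get("dimensions", [])}
    return {
        "state": ess["monitorCondition"],          # "Fired" or "Resolved"
        "rule": ess["alertRule"],
        "severity": ess["severity"],
        "fired_at": ess.get("firedDateTime"),
        "service_principal_id": dims.get("ServicePrincipalId"),
        "display_name": dims.get("ServicePrincipalDisplayName"),
        "row_count": int(float(cond.get("metricValue", 0))),
        "search_link": cond.get("linkToSearchResultsUI"),
    }


def plan_response(alert, contain_severities=CONTAIN_SEVERITIES):
    """Return the ordered (step, detail) pairs the Logic App should execute.

    The Graph call is returned as a prepared request; the HTTP action that sends it
    runs as the Logic App's managed identity, which needs Application.ReadWrite.All
    to set accountEnabled on a service principal.
    """
    if alert["state"] != "Fired":
        return [("noop", "alert resolved; no action")]
    sp = alert["service_principal_id"]
    if not sp:
        return [("escalate", "no ServicePrincipalId dimension on alert; manual triage")]
    steps = [("notify", {
        "channel": "soc-workload-identity",
        "text": f"{alert['rule']}: {alert['display_name'] or sp} ({sp}) had "
                f"{alert['row_count']} at-risk event(s); {alert['search_link']}",
    })]
    if alert["severity"] in contain_severities:
        steps.append(("graph", {
            "method": "PATCH",
            "url": f"{GRAPH}/servicePrincipals/{sp}",
            "body": {"accountEnabled": False},  # stops new token issuance until reviewed
        }))
        steps.append(("ticket", {
            "title": f"Risky workload identity {sp} disabled pending review",
            "priority": "P2",
        }))
    return steps


if __name__ == "__main__":
    for step, detail in plan_response(parse_alert(SAMPLE_ALERT)):
        print(step, detail)
```

Disabling the service principal is the one step here with blast radius: every workload that authenticates as it stops working, so keep that branch gated on severity (or on an allow-list of non-critical app IDs) and make sure the ticket step always runs alongside it so someone re-enables or rotates deliberately.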
